Software-as-a-Service (SaaS) is transforming the modern workplace as we know it.
But as SaaS adoption continues to rise and empower collaboration, it also creates hard-to-see threats and unforeseen challenges for IT.
Recent news headlines (like Hundreds of Companies Expose PII, Private Emails Through Google Groups Error, or Why Slack, Chatbots, And Freelance Workers Have Your IT Department Freaking Out) are indicative of these threats looming in the modern workplace. And with limited visibility into their SaaS environments, many IT professionals aren’t sure where these security threats reside or how to mitigate them—or that they’re even at risk.
As the adage goes, “You don’t know what you don’t know.” IT is essentially flying blind, but it’s not their fault. It’s nobody’s fault, as a matter of fact. We have not yet arrived at a time when we have official certifications or industry best practices in SaaS management.
IT has no way to get visibility into these hidden threats—aka blind spots, something they didn’t even know existed—until a security incident happens. Here are three of the most prevalent security blind spots in SaaS environments and why they exist:
Number of super admins (it’s more than you think)
Here’s a question for you: On average, how many super admins do you have in each SaaS app?
Most IT professionals believe they have one to three. In our experience it is almost always more than that: most IT teams in reality have closer to 13-19 super admins per app.
Why does this happen? Employees often request elevated access for a task or project. Because many SaaS apps lack granular admin roles, IT is forced to grant full super admin rights rather than a narrower role. Those permissions are frequently left in place and never revoked, even after the task or project is completed, and there is no easy way to track or automate the review. As a result, you end up with a glut of super admins: multiple people holding the “nuclear codes” to the missiles, so to speak. Least privilege is one of the most important security principles, but in most SaaS admin consoles it is very hard to implement.
Admin permissions are a universal blind spot, and a critical one at that. Regulations like GDPR require appropriate access controls, which in practice means controlling privileged access and keeping it to the minimum needed. Super admins can read and change everything in the tenant, including other users’ data and the security settings themselves. Do you really want 20+ people to have the “nuclear codes”? Each additional admin is an additional account that can be phished or compromised, and every one of them enlarges your attack surface.
Number of ex-employees who still have access to data
Here’s another question for you: Are there any ex-employees who still have access to your organization’s data? How would you go about finding out? Would you know if they were continuing to log in? This is our second blind spot.
76% of IT professionals believe that former employees still have access to their organization’s data.
This high number speaks to the importance of proper offboarding. If employees aren’t offboarded thoroughly and completely, then they retain data access. And there’s a lot of damage ex-employees can do, particularly if they’re disgruntled (see: Fired IT Guy Puts Porn in Ex-Boss’ PowerPoint, Gets Sweet Revenge).
This blind spot exists because offboarding is a manual, time-consuming process. Completely offboarding an employee (e.g., suspending the account, resetting the password and revoking active sessions and OAuth tokens, wiping their device, transferring group and file ownership) is cumbersome. People put it off, much like chores or taxes, or they forget certain steps altogether. This is a critical blind spot because it’s difficult for IT to know which ex-employees still have access, what level of access they have, which apps they can reach, and whether they are still logging in.
Amount of exposed confidential or sensitive data
There are multiple places (more than you might think) for data to be exposed in SaaS environments.
In fact, 86% of IT professionals think (or aren’t sure if) they have confidential or sensitive data exposed. Many IT professionals readily admit or suspect their data is exposed, but they struggle with finding it. What kind of data is exposed, and who is it exposed to? IT teams have little visibility into these questions.
First, it’s important to point out that data exposure doesn’t just mean files—this is a common misconception. Data exposure can occur through emails, groups, calendars, and more in SaaS environments. Corporate data has slipped out via Google Calendar; PII via Google Groups; proprietary information via Slack.
Why does data exposure happen? Because the biggest advantage of SaaS is also its biggest risk. The whole point of collaboration platforms is to share data and, well, collaborate with others (both inside and outside your organization). For example, you can invite external guests, like contractors, into Slack channels or add them to an email distribution list. But this is where the security risks lie. If external users retain access after their contracts end, they’ll still remain privy to confidential information for weeks, months, or even years.
Data exposure can be malicious, but it can also be purely accidental. Often the difference between private and public default sharing settings is one simple radio button in the admin console. All it takes is one wrong click—and data can be exposed.
If documents are shared publicly by default, that’s a security risk. If an employee innocently forwards corporate emails to (and shares files with) their personal Gmail account, that’s a security risk. Your exposure points have just multiplied, but how would you know any of this happened? IT has little visibility into data exposure, which is why it’s a major blind spot in SaaS environments.
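All three blind spots above (the super admin count, ex-employees who still have access, and exposed files) are questions you can answer from a directory export and a file-sharing export. The script below is an added example written for this page, not code from the original post or from any vendor product. The record shapes are modelled on the Google Workspace Admin SDK users.list and Drive files.list responses (field names isAdmin, suspended, lastLoginTime, permissions[].type), but ORG_DOMAIN, the user and file records, and the TERMINATED list are all constructed for the illustration; on a real tenant you would feed it the API output instead.

```python
"""Audit a SaaS tenant export for the three blind spots discussed above.

Input shapes follow the Google Workspace Admin SDK users.list and Drive
files.list responses, but every record below is constructed sample data,
not pulled from a live tenant.
"""
from datetime import datetime, timezone

ORG_DOMAIN = "example.com"  # assumed primary domain of the tenant

# Constructed sample directory export.
USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "suspended": False,
     "lastLoginTime": "2024-05-01T08:12:00.000Z"},
    {"primaryEmail": "bob@example.com", "isAdmin": True, "suspended": False,
     "lastLoginTime": "2024-04-28T17:40:00.000Z"},
    {"primaryEmail": "carol@example.com", "isAdmin": False, "suspended": False,
     "lastLoginTime": "2024-05-02T09:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "isAdmin": True, "suspended": False,
     "lastLoginTime": "2024-04-30T12:00:00.000Z"},
    {"primaryEmail": "erin@example.com", "isAdmin": False, "suspended": True,
     "lastLoginTime": "2024-01-20T12:00:00.000Z"},
]

# Constructed HR record: who left, and on which date.
TERMINATED = {
    "dave@example.com": "2024-03-15",   # still an active super admin: a gap
    "erin@example.com": "2024-01-31",   # suspended, no login since: clean
}

# Constructed Drive export: file id, name, and its sharing permissions.
FILES = [
    {"id": "f1", "name": "Q3 board deck", "permissions": [
        {"type": "user", "emailAddress": "alice@example.com", "role": "owner"},
        {"type": "anyone", "role": "reader"}]},                     # public link
    {"id": "f2", "name": "Vendor contract", "permissions": [
        {"type": "user", "emailAddress": "bob@example.com", "role": "owner"},
        {"type": "user", "emailAddress": "contractor@partner.io", "role": "writer"}]},
    {"id": "f3", "name": "Team roster", "permissions": [
        {"type": "user", "emailAddress": "carol@example.com", "role": "owner"},
        {"type": "domain", "domain": "example.com", "role": "reader"}]},  # internal only
]


def _parse_ts(ts):
    """Parse the API's RFC 3339 timestamp (trailing Z) into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def super_admins(users):
    """Blind spot 1: every account holding the top-level admin flag."""
    return sorted(u["primaryEmail"] for u in users if u.get("isAdmin"))


def offboarding_gaps(users, terminated):
    """Blind spot 2: ex-employees whose account is still active, or who
    logged in after their termination date. Returns {email: reason}."""
    gaps = {}
    for u in users:
        email = u["primaryEmail"]
        if email not in terminated:
            continue
        left = datetime.fromisoformat(terminated[email]).replace(tzinfo=timezone.utc)
        if not u.get("suspended"):
            gaps[email] = "account still active"
        elif u.get("lastLoginTime") and _parse_ts(u["lastLoginTime"]) > left:
            gaps[email] = "login after termination"
    return gaps


def exposed_files(files, org_domain):
    """Blind spot 3: files readable by anyone with the link, by another
    domain, or by an account outside the org. Returns [(id, name, exposure)]."""
    findings = []
    for f in files:
        for p in f["permissions"]:
            if p["type"] == "anyone":
                findings.append((f["id"], f["name"], "anyone with the link"))
            elif p["type"] == "domain" and p.get("domain") != org_domain:
                findings.append((f["id"], f["name"], f"domain {p.get('domain')}"))
            elif p["type"] == "user":
                addr = p.get("emailAddress", "")
                if not addr.endswith("@" + org_domain):
                    findings.append((f["id"], f["name"], f"external user {addr}"))
    return findings


if __name__ == "__main__":
    print("super admins:", super_admins(USERS))
    print("offboarding gaps:", offboarding_gaps(USERS, TERMINATED))
    for fid, name, why in exposed_files(FILES, ORG_DOMAIN):
        print(f"exposed: {name} ({fid}) -> {why}")
```

Run against the sample data it reports three super admins rather than the one or two you might expect, flags dave as terminated but still active (and still an admin), and lists the board deck as public and the contract as shared with an external address. Note what the offboarding check cannot see: a last-login timestamp says nothing about OAuth refresh tokens, API keys or mobile sessions a departed user may still hold, which is why the session and token revocation steps described above matter even after the account is suspended.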
To learn more about other critical security blind spots and how you can fix them, download our whitepaper here.